So for the past 2 weeks now we are absolutely getting hammered with calls in CSS Security here at MS with organizations contracting this piece of malware.
You can find write-ups from various AV companies at the following URL’s
So the write-up’s are all pretty good some have details that the others don’t etc. We see a range of cases it seems from customers missing the patch to those who are completely patched but are still seeing this piece of malware in their environment causing issues. The interesting thing about this piece of malware is that it is really singling out organizations that have not done a good job with their security policies/procedures. The MMPC group made a post about this piece of malware http://blogs.technet.com/mmpc/archive/2008/12/31/just-in-time-for-new-years.aspx where they linked http://technet.microsoft.com/en-us/library/cc512606.aspx Jesper’s password paper from 2005!!! This guidance and similar guidance has been out for 3+ years now and we still have customers that aren’t following it. I sometimes wonder if we should just push out a “critical update” that applies to all DC’s and updates their Default Domain and Default Domain Controller Policies for them to something more acceptable :) of course we would probable pull a lot of flack for that :) . /Rant Off
So things you should look at doing if you are hit with this:
I may add more to this possibly as it’s getting late my time and I’m sure it’s going to be another long day tomorrow. Hopefully this helps someone.